---
title: Correct Horse Battery Staple
subtitle: Passwords and other Fun
header-includes: |
  <style> .container{ display: flex; } .col { flex: 1; } </style>
---
Introduction
10 Print "Hello World"

::: {.container}
:::: {.col}
::::
:::: {.col}
- Dan Goldsmith
- CD Ethical Hacking
- CL Technical Computing
- Computer Scientist.
::::
:::
Ethical Hacking @ CU
::: {.container}
:::: {.col}
- EH Degree for 15 or so years
- Strong focus on Practical Aspects.
- Excellent Student CTF team.
::::
:::
You teach What???
- Cyber is essential for everyday lives.
- Good guys who can think like the bad guys are a good thing.
- If my folks break into your system and tell you how to fix it, it's much better than the bad guys doing it
What I Do
But it's not just Hacking we teach
- Security Operations.
- Digital Forensics
- Legal, Ethical and Business Factors
- Network Security
- Computer Science.
Fancy a Job?
- Hard but Rewarding.
- Not recruiting at the moment
- If you are interested, come talk to me and be ready for the next round.
Talk Overview
- Talk about a common security issue. Passwords
- What they are
- How we can choose good ones
- Some of the things not to do.
- Hack Some Things
Passwords
Passwords
History
::: {.container}
:::: {.col}
- Roman Empire: Watchwords
- Prohibition: Get access to the pub
::::
:::
First Computer Passwords
- 1960: First computer password. (CTSS)
- To Control access to a shared system.
::: {.fragment .fade-up}
- 1962: The first password theft....
- Users had a limited weekly time allocation.
- Allan Scherr needed more time for his PhD.
- Passwords stored in plain text == print the password file.
:::
A Necessary Evil
- Estimates suggest we now have 100-150 passwords to remember
- Trends toward biometrics, keys and certificate-based auth
- BUT: The easiest and most common fallback if these fail.
Don't be green
- 80% of data breaches due to reused, weak or stolen passwords.
Most Common Passwords
- What is the most common password?
::: incremental
- Off to seclists https://github.com/danielmiessler/SecLists/blob/master/Passwords/2023-200_most_used_passwords.txt
:::
NCSC List (2019)
Storing Passwords
- Hopefully not in plain text
- Hashes are used to store passwords
- "Impossible" to reverse hash value to derive passwords
- Not all hashes are equal.
Hashing Issue
::: incremental
- To Cyberchef....
- To Crackstation
:::
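The Cyberchef / Crackstation demo works because a fast, unsalted hash of a common password is the same for everyone, so it can be looked up in a precomputed table. The following is an added example (not code from the talk) that contrasts that with how a login system should store passwords: a per-user random salt and a memory-hard KDF. The five-entry lookup table is a constructed stand-in for the real tables behind such sites, and the scrypt work factors are assumed values for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the big precomputed tables behind Crackstation-style
# sites: fast, unsalted hashes of a few very common passwords, keyed by digest.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "swordfish", "letmein"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# scrypt work factors (assumed for this demo; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def unsalted_md5(password: str) -> str:
    """The 'not all hashes are equal' bad case: fast, unsalted, identical for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(digest_hex: str) -> Optional[str]:
    """Reverse a fast unsalted hash by table lookup, which is all a lookup site does."""
    return MD5_LOOKUP.get(digest_hex)


def store_password(password: str) -> str:
    """Per-user random salt plus a memory-hard KDF; record format 'scrypt$<salt>$<hash>'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Constant-time comparison so a timing side channel does not leak digest prefixes.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked = unsalted_md5("swordfish")
    print("leaked MD5", leaked, "->", lookup_md5(leaked))  # recovered instantly by lookup

    rec1, rec2 = store_password("swordfish"), store_password("swordfish")
    print("same password, different records:", rec1 != rec2)  # no shared table possible
    print(verify_password("swordfish", rec1), verify_password("Swordfish", rec1))
```

Because every user gets a fresh salt, two records for the same password differ, so a single precomputed table cannot cover them; because scrypt is memory-hard, each guess costs far more than an MD5, which is the other half of "not all hashes are equal".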
Password Strategies
So What makes a good password?
- Suggestions?
Uppercase, Lowercase, Numbers and Symbols?
::: incremental
- swordfish
- Swordfish
- Swordf1sh / Swordfish1
- Swordf1sh!
:::
Why this?
- Trying to introduce complexity, to make them harder to guess.
- Lowercase == 26 Letters
- Upper + Lower == 52
- Common Symbols, Numbers etc. ~ 100
Cracking Passwords
- Try to guess the stored password
  - a, b, c, d
  - aa, ab, ac, ad ....
- 2018 RTX2080 == 40 Billion guesses a second
- 2022 RTX4090 == 164 Billion guesses a second.
- More Complex == Harder to guess
Cracking Passwords
The Ideal Password
::: incremental
- Nksi%c3&9#pZ$hn$jB9@bzf^1#ZKtnl1
- Good luck remembering that
:::
The 3 / 4 Words approach
- Recommended by NCSC
- Pick 4 Random Words
- Use these as a passphrase
Correct Horse Battery Staple
So We are safe, right?
That one's in the list...
::: incremental
- It depends on the password cracking strategy
- If we use letter by letter, then the length is our friend
- If we assume the 4 words strategy is being used
- 170,000 words in the English Dictionary
- 170,000 * 4 == 680,000 Guesses == Instant
:::
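The "Why this?", "Cracking Passwords" and "So We are safe" slides all come down to one calculation: size of the search space divided by guess rate. Below is an added example (not code from the talk) that carries it through for the slides' own passwords and the two GPU rates quoted. It also includes the kind of CSPRNG-based generator a password manager uses for the 32-character case. One thing it makes visible: the slide's 170,000 * 4 figure counts words, whereas the search space for four words chosen independently from a 170,000-word dictionary is 170,000^4, and the example prints both so you can compare them against the letter-by-letter figure for the same passphrase.

```python
import math
import secrets
import string

# Guess rates quoted on the slides, in guesses per second.
RTX2080_2018 = 40e9
RTX4090_2022 = 164e9

# Alphabet sizes from the "Why this?" slide (PRINTABLE is the exact count, 94).
LOWER = 26
UPPER_LOWER = 52
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a letter-by-letter search must cover to exhaust the space."""
    return alphabet_size ** length


def wordlist_keyspace(dictionary_size: int, words: int) -> int:
    """Candidates when the attacker knows it is N independently chosen dictionary words."""
    return dictionary_size ** words


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / rate


def describe(seconds: float) -> str:
    """Coarse human-readable duration; the order of magnitude is the point."""
    if seconds < 1:
        return "instant"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def bits_of_entropy(candidates: int) -> float:
    """log2 of the search space, the usual way to compare strategies on one scale."""
    return math.log2(candidates)


def random_password(length: int,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """What a password manager does: pick each character with a CSPRNG, never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    scenarios = [
        ("swordfish", charset_keyspace(LOWER, 9)),
        ("Swordfish", charset_keyspace(UPPER_LOWER, 9)),
        ("Swordf1sh!", charset_keyspace(PRINTABLE, 10)),
        ("Nksi%c3&9#pZ$hn$jB9@bzf^1#ZKtnl1", charset_keyspace(PRINTABLE, 32)),
        # 26 letters plus the space character, 28 characters long.
        ("correct horse battery staple, letter by letter", charset_keyspace(27, 28)),
        ("4 random words, attacker knows the strategy", wordlist_keyspace(170_000, 4)),
        ("slide's 170,000 * 4 figure", 170_000 * 4),
    ]
    for label, candidates in scenarios:
        print(f"{label:48s} {bits_of_entropy(candidates):6.1f} bits"
              f"  RTX2080: {describe(seconds_to_exhaust(candidates, RTX2080_2018)):>14s}"
              f"  RTX4090: {describe(seconds_to_exhaust(candidates, RTX4090_2022)):>14s}")
    print("manager-style password:", random_password(32))
```

Run it and the slides' ordering falls out: the nine-letter lowercase word is minutes, the mixed-case one is hours, the symbol-padded one is years, and the 32-character random string is beyond any budget; the passphrase is the interesting row, because knowing the strategy shrinks it from the letter-by-letter figure but not to something instant.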
Phishing for Information
- Rather than brute force, use social engineering
- Folk like passwords to be meaningful to them.
- Pornstar / Star Wars names
- Numbers / Symbols are a speed-bump
Being a bit sneaky?
- Perhaps they have used the password before?
- Of course that information is only available to l33t Hax0rs right?
A Better Approach.
Password Managers
- Personally, I recommend a password manager
- Remember one or two passwords.
- Rest are randomly generated (so strong)
- Will also avoid re-use.
Password Managers
- Lots of choice.
- Still a healthy debate over the wisdom of keeping everything in one desirable target
- Please Keep Autofill turned off.
MFA
- We also should use MFA
- Phone app, or similar used alongside password
- Challenge -> Response when logging in.
MFA
- Extra layer of defence, but not without its own problems.
- Can be a PITA.
- Buildings that are Faraday Cages
- Not 100% Secure
- Of course, if your phone with password manager gets stolen...
A Bit of Fun
Stealing Passwords from a Password Manager
- Combining a web vuln with the password manager to snarf credentials
- The code is the classic sort of thing GPT / students write.
The Issue
- Cross Site Scripting (XSS)
- Lets me inject code into the page, which runs in your browser
Version 1: Redirect
- The Classic "My Facebook got hacked"
- Ask the browser to load a different Page
```html
<script>window.location="http://evil.org"</script>
```
Version 2: Fake login Page
- Password manager detects login fields
- Looks at site URL and checks for known passwords
- Offers (or worse) auto-completes the credentials.
Version 3: Hidden Login Page.
- That's a bit noticeable though.
- We can hide the fake page from the user, but the browser (and the password manager) will still see it.
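All three versions of the demo need the same thing: the page echoes attacker-controlled text as markup. The following is an added example (not the talk's demo code) showing the "student / GPT" rendering beside the fixed one, with the redirect payload from the slide as input, plus a crude check a test suite can run over rendered output to catch tags the template never emits. The comment template, the benign comment and the CSP policy are constructed for this demo; `form-action 'self'` is the CSP directive that stops a hidden login form from posting its fields to another origin, which is what makes Version 3 worth covering in the header as well as in the escaping.

```python
import html
import re

# Constructed attacker-controlled input: the redirect payload quoted on the slide.
REDIRECT_PAYLOAD = '<script>window.location="http://evil.org"</script>'
# Constructed benign input, with characters that escaping must not mangle into a false alarm.
BENIGN_COMMENT = 'Great talk! 5 < 6 & "quotes" work fine.'

# The page template owns the markup; user input should only ever be text inside it.
COMMENT_TEMPLATE = '<div class="comment">{body}</div>'

# Response header a defender sends alongside escaping (assumed policy for this demo):
# no inline scripts, and forms may only post back to this origin, so the redirect
# in Version 1 and a hidden login form in Version 3 both fail even if a bug slips through.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; form-action 'self'")

# Tags the template never produces; seeing one in rendered output means input became markup.
INJECTED_TAG = re.compile(r"<\s*(script|form|input|iframe)\b", re.IGNORECASE)


def render_unsafe(comment: str) -> str:
    """The version students and LLMs tend to write: input dropped straight into the page."""
    return COMMENT_TEMPLATE.format(body=comment)


def render_safe(comment: str) -> str:
    """Contextual output encoding for an HTML text node: the browser sees text, not markup."""
    return COMMENT_TEMPLATE.format(body=html.escape(comment, quote=True))


def contains_injected_tag(rendered: str) -> bool:
    """Crude detector for use in tests or log review of rendered fragments."""
    return INJECTED_TAG.search(rendered) is not None


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = renderer(REDIRECT_PAYLOAD)
        print(f"{label:6s} injected={contains_injected_tag(out)!s:5s} {out}")
    print("benign, safe:", render_safe(BENIGN_COMMENT))
    print("header:", *CSP_HEADER)
```

Escaping at the point of output is the fix; the CSP header is defence in depth for the day someone adds a new template and forgets. The detector is deliberately simple and is not a substitute for either, but it turns "did we escape?" into an assertion you can run in CI.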
Summary
Summary
- Passwords are an essential part of life
- Often easily guessable
- How to make them hard to guess, but easy to remember?
Summary
- Longer is Better
- Don't Reuse
- Avoid common words
Summary
- A password manager isn't ideal, but it's a good compromise
- Makes it easy to have long, random passwords
- Avoids Re-use
- MFA is also a great idea.